Rhadamanthys Infostealer is currently being distributed through MSC files, exploiting vulnerabilities and executing commands via Microsoft Management Console (MMC). The distribution of such malware has increased since June 2024, notably taking advantage of the apds.dll vulnerability. Users are advised to be cautious when opening MSC files from unknown sources. Affected: MSC files, Microsoft Management Console, Windows users
Keypoints :
- Rhadamanthys Infostealer is transmitted via files with an MSC extension.
- MSC is an XML-based format executable by Microsoft Management Console (MMC).
- There are two key types of MSC malware targeting apds.dll vulnerabilities and using Console Taskpad for execution.
- MSC malware distribution has surged since June 2024, particularly versions exploiting apds.dll (CVE-2024-43572).
- The Code execution occurs either within a vulnerable DLL or through MMC features.
- Malicious MSC files can masquerade as MS Word documents and execute PowerShell scripts.
- Vulnerabilities associated with apds.dll have been patched, but Console Taskpad types remain a threat.
- Users should avoid executing MSC files from unrecognized sources to mitigate risks.
MITRE Techniques :
- T1203 β Exploit Public-Facing Application: Exploitation of vulnerability in apds.dll (CVE-2024-43572).
- T1059 β Command and Scripting Interpreter: Execution of PowerShell scripts from downloaded MSC files using Console Taskpad.
Indicator of Compromise :
- [MD5] 560024efca8e5730dc4decf2e2c252db
- [MD5] 7b26a25d7bf2be6fdc2810ba5f519b4a
- [MD5] 9b738d877e6590b40c2784be10c215d7
- [URL] https[:]//daddychill[.]nl[:]1537/77950e0740519/udpne49n[.]du0i8
- [URL] https[:]//oshi[.]at/SdUr/TSWY[.]txt
Full Story: https://asec.ahnlab.com/en/86391/